The genius of GDPR is that it forces companies to police each other

The goalposts have shifted.
The goalposts have shifted.
Image: EPA-EFE/Erik S. Lesser
We may earn a commission from links on this page.

The European Union’s far-reaching General Data Protection Regulation (GDPR) launched last Friday amid major fanfare and the clogging of millions of inboxes with heartfelt pleas.

But the genius behind GDPR isn’t just what it means for consumer rights, it’s about how the threat of massive fines means companies themselves will do most of the heavy lifting when it comes to policing and enforcing the broad set of rules.

“Europe has plenty of data protection authorities but it doesn’t have enough to go knocking on every door,” said Simon McGarr, director of the Data Compliance Europe consultancy. “So they’ve had a multi-level compliance structure built into the law where you end up with large companies enforcing compliance on small companies, and so on down the line.”

It’s the large data controllers—the companies responsible for safeguarding the data—who will drive enforcement by requiring that their data processors become compliant and cutting them off if they don’t, McGarr notes. Under GDPR, small companies not only face the financial stress of being compliant, but they will now find themselves competing with their peers for the business of large corporations based on how compliant they are. “Short term, this is a shocking competitive advantage,” said McGarr.

Aaron Tantleff, a cybersecurity expert at law firm Foley & Lardner, said: “Clearly, the drafters of the GDPR realized that by wielding such a large stick, they would be able to force companies into compliance out of fear.”

“Those who are thinking about misbehaving will find themselves with greater liability under the GDPR,” Tantleff said. “Despite the under-funded or under-resourced nature of the supervisory authorities, I do not see those entities letting companies skate by.”

Tantleff added that he’d talked to a number of organizations, who claim the GDPR is just about updating their privacy policies. He believes these firms could be hardest hit by the authorities as they don’t have the internal mechanisms in place to comply with the law.

But once the initial panic around compliance has died down, it is possible that companies could become lax with people’s data again? Paul Jordan from the International Association of Privacy Professionals said that privacy is now a strategic consideration for organizations: “Our data shows that brand management and reputation is more important to companies than avoiding fines.”

While national regulatory authorities will certainly be looking sharper now GDPR is live, funding for them has to come out of individual member states’ budgets, and that could vary wildly.

However, it’s not just up to the big firms to police themselves and their vendors and data processors, EU citizens have also been handed a lot of power and responsibility. It’s up to them to ensure that they keep an eye on where and to what ends their data is being used, too.